Facebook privacy coming to a head, changes may be imminent

Facebook's privacy issues have really come to a head thanks to the most recent …

Facebook has found itself facing some tough choices when it comes to the direction of the company, specifically revolving around user privacy. As most Netizens know, Facebook has faced harsh criticism in recent months—which may be coming to a head after having built up slowly over the years—regarding how it handles user information. Now, the company is left deciding whether it wants to revert to its old principles and go against founder Mark Zuckerberg's policy of forging ahead, privacy be damned.

Facebook public policy head Tim Sparapani said in a radio interview Tuesday that the company was working on simplifying its privacy controls because of user complaints about their complexity. "I think we are going to work on that. We are going to be providing options for users who want simplistic bands of privacy that they can choose from and I think we will see that in the next couple of weeks," he said.

Sparapani's utterances come on the heels of Facebook working to fix a privacy bug, discovered by Alert Logic earlier this week, one that allowed attackers to expose private information on a user's profile. The flaw was as simple as sending users a specially crafted link which, when clicked, would modify the user's privacy settings.

But despite these fixes and potential tweaks to Facebook's settings, users have found themselves on a very different site than the one they used even a year ago. (And for those of us who have used Facebook since 2004, it may as well be a completely different company.) What happened to Facebook being the only social network to actually protect user information and leave everything opt-in instead of opt-out? Now, Facebook is widely known for putting user information at risk, making too many settings public by default, and for not sufficiently educating users on how to keep their information private.

Luckily, there are now third-party tools that help users patch up their Facebook settings, such as the incredibly helpful bookmarklet from Reclaim Privacy that lets users see what their settings are and change them automatically. These tools shouldn't be necessary, however. Users should have everything private by default and be able to change their settings so that things are more public based on their own comfort level, not the other way around.

It's unlikely that such a user-friendly utopia will arrive anytime soon, though, especially given Zuckerberg's now-legendary disregard for privacy. According to insiders speaking to the Wall Street Journal, Zuckerberg has occasionally overruled others within Facebook who have argued that information should remain private by default. He has also historically resisted implementing some of the simpler universal controls that Facebook is currently considering. That said, Zuckerberg was the one who called last week's company meeting to discuss the current state of Facebook privacy and user trust, so it's possible that he's beginning to warm to the idea of giving users what they want.

We asked Facebook to confirm whether it had some changes in the offing. "We have heard from our users that our efforts to provide granular control have made things too complex," Facebook spokesperson Andrew Noyes told Ars via e-mail. "Of course we’re working on responding to these concerns but we don’t have anything further to announce."

The clock is ticking on the social networking giant. The complaints are building up, users are starting to defect, and the FTC may soon get involved. Facebook can't afford not to make changes.

They made their name on a default of privacy. Now that they got the data, flipping it around shows Zuckerberg's true colors. I disabled my Facebook account months ago and I hope to convince my wife to do the same with hers but that's unlikely until there is an alternative that gains momentum.

I'm betting their "clean up" effort is going to be similarly deceptive and not what users want. Facebook's character is a reflection of Zuckerberg's own character, and his actions show he is clearly a sociopath. As long as he is there, Facebook will continue to be a menace to the internet. This is a case of the age-old computer industry paradigm: the founding engineer, who needs to step aside and let some real business people run the company, but is absolutely clueless.

Should my address and phone number be public? No. Does it matter if the public sees the status about how I made waffles for breakfast? No. The biggest problem most Facebook users are suffering from is an overvaluation of the minutiae of their lives. What a person has for breakfast is not personal information in the same way a social security number is so let's stop pretending all info is equal. Also, let's not forget it's called a "social" network. That means *gasp* sharing some info and *faint* maybe getting to know people.

Well, of course they will continue to erode user privacy, with all these folks invested in their service, they will seek to leverage their data and meta-data to sell them things. That doesn't bother me as much as their non-deletion habits. Didn't Ars do a piece a while back on how a photo 'deleted' on Facebook is never actually removed, or even private for that matter?

[ ] Make nothing private
[ ] Make everything public
[ ] Remind me later that everything is already public
[ ] Make everything public without reminding me that I thought it was private
[X] Ask me whether I thought it wasn't public
[ ] Will you still love me...tomorrow?

Should my address and phone number be public? No. Does it matter if the public sees the status about how I made waffles for breakfast? No. The biggest problem most Facebook users are suffering from is an overvaluation of the minutiae of their lives. What a person has for breakfast is not personal information in the same way a social security number is so let's stop pretending all info is equal. Also, let's not forget it's called a "social" network. That means *gasp* sharing some info and *faint* maybe getting to know people.

Well, most people are concerned about the exposure exactly of their address and phone number.

Also a lot of people get offended at the idea that what they post is used to sell stuff back at them, but Google's been doing that for years. I personally consider the status messages as small fry and relatively unimportant compared to them wanting to mine your location, address, phone number, and other historical data (including where you went to school and where you used to live).

The law is coming for them, and they know it. Germany is certainly not going to tolerate FB much longer. It's also a matter of time before lawsuits start appearing over the damage caused by their policies.

Facebook has shown itself to be completely untrustworthy with people's private information, and they deserve all the kicks to the head they're about to get. As a corollary, anybody who ever trusts them again (at least while Z runs the place) deserves to have their identity info printed on a LifeLock truck-ad.

I wouldn't be surprised if the VCs and board members force Zuckerberg out by the end of the year. At this point he is toxic to the brand.

Project Diaspora is currently dreams and ideas. We'll see at the end of the summer if there is going to actually be anything to it. (I personally wish them the best of luck, but I don't think we should be celebrating just yet.)

Your address/phone number are already public. It's called the phone book. What's BS about facebook is the privacy policy changes almost weekly and its 'hot new features' (i.e. browser tracking) are opt out when they should be opt in. Or preferably not exist at all. Facebook then sells this data to anyone interested, including employers looking to spy on employees and insurance companies spying on customers.

I don't quite get why people have any expectation of privacy when it comes to Facebook. I've never assumed what little information I put there to be at all private, and I feel a bit uncomfortable if someone sends me private information via messages. I'd much rather they just came out and said everything is going to be public and be done with it. (With luck, enough people would stop using it that it would kill Facebook).

Common convention has always been do not publish your real name and details on the internet. Facebook changed that because it was safe - you had a profile only people you mutually confirmed as close enough friends could view, and you would have never thought that this information would be public.

Slowly that's become the case. I've had to remove a lot of specific information because even with maximum security features I don't trust Facebook, but I still have a huge amount of information on there which I wouldn't have if Facebook didn't first set the precedent with strict privacy.

Twitter is of course a lot more public, but it always was that way and it has always been the expectation. I treat every tweet as a public broadcast that potential new employers (and enemies, and everybody else) can and will judge me on. With facebook I'm slowly coming around to the same behaviour but it's set up in a way that prevents this.

I think the answer will come with a more decentralised social networking platform, like Twitter but with more functionality and less centralisation and control by one company. When there is a common protocol with strict rules, then it isn't up to one company to slowly erode privacy, or to treat users like their product, but only up to software developers and website managers to make money from their product.

I agree with peredur. I still can't believe people have any expectation of privacy of things they put onto the Internet, but I guess people are gullible. Never post anything to the Internet that you aren't comfortable with your mother or boss reading.

@fuxx: Twitter is NOT a replacement for Facebook. Anything that you can fit in 140 characters probably isn't worth reading. The fact that people bypass the limit by re-writing URLs to external blog sites is indicative of how abused their service is. Thanks, if I wanted a feed of greatest hits links I would load my home page of RSS feeds.

I agree with peredur. I still can't believe people have any expectation of privacy of things they put onto the Internet, but I guess people are gullible. Never post anything to the Internet that you aren't comfortable with your mother or boss reading.

I've never used Facebook and in general I follow something similar to the policy you advocate, but in general it isn't entirely that simple.

Most importantly, what exactly do you mean by, "post anything to the Internet?" Are you including, for example, email to close friends and family or is this just a web thing? If it is only a web thing, is webmail acceptable? Or as end users should we be responsible for using encrypted transport and storage of all personal information? If the internet can't be used for personal communication it loses much of its utility, but there has to be some level of trust in the infrastructure and services that people rely on.

Facebook then sells this data to anyone interested, including employers looking to spy on employees and insurance companies spying on customers.

I've heard rumors about the whole "employers buying access to private FB data" thing among tech circles, but no concrete evidence of it. I can't believe Zuck would be that stupid; the legal liability for lost wages, damaged professional reputations, etc. would be astronomical.

Facebook then sells this data to anyone interested, including employers looking to spy on employees and insurance companies spying on customers.

I've heard rumors about the whole "employers buying access to private FB data" thing among tech circles, but no concrete evidence of it. I can't believe Zuck would be that stupid; the legal liability for lost wages, damaged professional reputations, etc. would be astronomical.

If you can prove it. Employers are notoriously tight lipped about hiring and firing policy even if it's legitimate, much less for reasons that aren't.

One option people have about private information on Facebook is to (gasp) not put it there to begin with. Some of the information they end up mining or is SOP for any social networking site, but the worst of it is voluntary. If you don't like having that information on there, don't add it. (I mean, heck, it's just Facebook, lie if you have to.)

Most importantly, what exactly do you mean by, "post anything to the Internet?" Are you including, for example, email to close friends and family or is this just a web thing? If it is only a web thing, is webmail acceptable? Or as end users should we be responsible for using encrypted transport and storage of all personal information? If the internet can't be used for personal communication it loses much of its utility, but there has to be some level of trust in the infrastructure and services that people rely on.

Email depends on who you use as an email provider and their privacy policies. Regardless of policy everything that transits the email server is accessible to the organisation that manages it. The only way to guarantee privacy would be to use encrypted transports between private servers.

I don't understand the willingness of people to entrust Google with their private email. Similarly I don't understand the willingness to put anything on Facebook that you don't want to be made public.

I don't understand the willingness of people to entrust Google with their private email. Similarly I don't understand the willingness to put anything on Facebook that you don't want to be made public.

These two examples share a common foundation: free.

You should always consider how a service you use makes money. If you pay, or it is included in something you pay for, then you can be reasonably certain they don't care about selling you out for advertising dollars. Of course, when you have a very highly developed, expensive service being provided for free, you have to worry. I mean, facebook hosts photos, videos and serves a huge amount of users, in the real world this shouldn't be free, and wouldn't be unless they got their money from mining data.

You look at Google with their huge array of services, extremely lavish work culture (hiring the best of the best, all of the well known benefits for their employees, etc), and one of the best research and development programmes in the world, all under the proviso that charging customers for services and products is outdated. MobileMe charges $100/year (ish, AUD) for push email, calendar & contacts syncing, web hosting, upload space for photos and videos, etc. Google can provide all of these services and more for free, and people think that the occasional short little contextual text ad pays for all of that?

For Google and Facebook alike the user is the product, not the customer.

I like facebook. It's a great tool to keep up with friends. Mostly because all of them are in there. Even if there was a decentralized, privacy conscious open source alternative (lol) my friends would still be in facebook. I still remember how hard it was to keep up with their contact data before facebook.

So no I will not brand this site as outlawed because they increasingly annoy me with their privacy settings. I am still able to configure the privacy settings in a way that people cannot easily see what I have up there. When they changed the privacy settings they asked after all. Sure their default settings were insane but it wasn't hard to configure it back to something sensible. And seriously they can show my religious views to everyone (as if I would put them up there).

Facebook is a huge enterprise and no garage company anymore, they do idiotic things, there is a backlash and they change their policies. That's how the real, non-geek world works. If they do not change tack and go all evil (for example by not allowing me anymore to keep information private) then I will leave them. But not now because I have the notion that they somehow have become evil or something like that.

They are a big company no small garage company. And they provide a valuable service. It is fair to give them the chance to put it right. And btw I put nothing up there that would make me die of embarrassment. That's the important part.

I can understand some of the privacy concerns but I think it is being over-hyped because of its high profile, in the same way that Google came under similar disproportional criticism for naive privacy mistakes with the introduction of Buzz.

Nothing about facebook is different to myspace or bebo that have/had similar exposure of users without explicitly opting out. It is also of note that personal information and opinion is left by people everywhere across the internet from forums to twitter and usually requires very little work to tie these accounts to a single person.

If you only knew what they do with your info already facebook is the shepherd and you the sheep lol

Honestly I do not care what they do with my information. It's not like I have anything really incriminating put up. I only care that they do not show this to everyone unless I allow it by friending someone. And currently that's easily configurable. It's all a question of risk vs. reward.

If you are not in facebook you are making it much harder for yourself to have social contact to other people, because let's face it most people I come in contact with that are of my age, have a college degree etc. are in there. And facebook is the way a lot of social interaction is currently taking place.

Now that's the reward, if you can live without that, it's your decision. For me this currently outweighs the risk. The worst thing I have up there is my email address I wouldn't want in the publicly accessible internet and some pictures that were shot late at night but that are not really raunchy. I don't know what you put up there but that's not worthy of such outrage.

@zukes: Well, what do they do? Sell it to advertisers? Why is this so awful? Oh noes, I'm seeing ads that are slightly more relevant to me! I don't understand how that's a bad thing. I started watching stuff on hulu recently and wished that they would get some info on me from facebook so the ads wouldn't all suck. How are we sheep if we don't care? I guess I'm a sheep for not just torrenting the show I want to watch instead of sitting through like 5 minutes of ads per hour though.

By default I only put info on facebook that I really wouldn’t care if some stranger knows, which is most info about me.

Maybe they are selling info to potential employers. I don’t really want to work for a company that buys this kind of information and then doesn’t hire me ‘cause I’m into Star Wars or Furries or something.

You make it sound like they are taking my info behind a shed and raping it or something. Oh, the horrors!

I agree with peredur. I still can't believe people have any expectation of privacy of things they put onto the Internet, but I guess people are gullible. Never post anything to the Internet that you aren't comfortable with your mother or boss reading.

Do you have a GMail account? Do you mind if it gets indexed in the search engine so that I can read it? What? You put it on the Internet! Why did you expect privacy? While we're at it, Aetna's going to let your claim history get indexed since it's on the Internet as well.

I don't worry about facebook privacy. I literally have nothing on my profile except that I'm married to my wife. I basically use it to just see what people are up to. You can't even see my profile unless you are a friend of a friend. I'm pretty much costing facebook money at this point.